khrome / ascii-art

A Node.js library for ansi codes, figlet fonts, ascii art and other ASCII graphics
MIT License
681 stars 287 forks

Replace request@2.79.0 by request@2.88.0 (or latest) #13

Closed yocarbo closed 5 years ago

yocarbo commented 5 years ago

Hello,

✗ Medium severity vuln found in tunnel-agent@0.4.3, introduced via ascii-art@1.4.4
  Description: Uninitialized Memory Exposure
  Info: https://snyk.io/vuln/npm:tunnel-agent:20170305
  From: ascii-art@1.4.4 > request@2.79.0 > tunnel-agent@0.4.3

✗ Medium severity vuln found in cryptiles@2.0.5, introduced via ascii-art@1.4.4
  Description: Insecure Randomness
  Info: https://snyk.io/vuln/npm:cryptiles:20180710
  From: ascii-art@1.4.4 > request@2.79.0 > hawk@3.1.3 > cryptiles@2.0.5

Regards,

khrome commented 5 years ago

So this is an exploit about using auth with unchecked user-supplied credentials. The other issue is likewise around crypto that is not active or used in my application. Given that my use of request is an unauthenticated file transfer of text data, I would characterize my exposure surface to these issues as nonexistent. If this is the product of an institutional security autoscanner and we're just checking boxes in the name of security absolution, the right thing to do is submit a Pull Request with the change.
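The exposure khrome is reasoning about above, shown as an added example that is not code from ascii-art, request or tunnel-agent. The tunnel-agent advisory class is the legacy `new Buffer(value)` pattern: when the proxy auth value handed to the library was a number rather than a string, the call allocated that many bytes of uninitialized memory and base64-encoded them into the Proxy-Authorization header. That mechanism is taken from the advisory class, not from this thread, and the function names here are hypothetical. Node 8 and later zero-fill `new Buffer(n)`, so the example uses `Buffer.allocUnsafe` to keep the old behaviour visible; the point is that without a caller passing attacker-controlled auth (which this project does not do) the legacy path is never reached.

```javascript
// Added example (not tunnel-agent's or ascii-art's code): the uninitialized
// memory exposure pattern behind the tunnel-agent@0.4.3 advisory, isolated.

function encodeProxyAuthLegacy(proxyAuth) {
  // Mimics the pre-fix pattern: a number silently becomes an allocation size.
  // Buffer.allocUnsafe stands in for the old `new Buffer(n)`, which Node >= 8
  // now zero-fills; the bytes returned here are whatever was in the pool.
  const buf = typeof proxyAuth === 'number'
    ? Buffer.allocUnsafe(proxyAuth)
    : Buffer.from(String(proxyAuth));
  return buf.toString('base64');
}

function encodeProxyAuth(proxyAuth) {
  // Hardened: only strings are accepted, and Buffer.from(string) can never
  // be coerced into a size-based allocation.
  if (typeof proxyAuth !== 'string') {
    throw new TypeError('proxy auth must be a string');
  }
  return Buffer.from(proxyAuth, 'utf8').toString('base64');
}

// Demonstrates that the legacy path turns an attacker-chosen number into a
// header carrying that many bytes of process memory, while the hardened path
// refuses the same input. Sample inputs are constructed for this example.
function demo() {
  const safe = encodeProxyAuth('user:pass');            // normal credential
  const legacy = encodeProxyAuthLegacy(64);             // number, not a string
  const leakedBytes = Buffer.from(legacy, 'base64').length;
  let hardenedRejects = false;
  try {
    encodeProxyAuth(64);
  } catch (e) {
    hardenedRejects = e instanceof TypeError;
  }
  return { safe, leakedBytes, hardenedRejects };
}

console.log(demo());
```

Run with `node` to see the hardened encoding of the constructed credential, the number of raw memory bytes the legacy path would have shipped in a header for the input `64`, and that the hardened function rejects that input outright. The only way to reach the legacy path is for caller-supplied auth to be something other than a string, which is why a fixed, unauthenticated fetch of text data sits outside this bug's reach even on the old version.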

khrome commented 5 years ago

I had other changes to publish, so I made this change as well. Thanks for the report.

yocarbo commented 5 years ago

Thanks for the update ;)